1357 matches found
Authentication Bypass
moodle/moodle is vulnerable to an authentication bypass. The vulnerability is due to improper enforcement of multi-factor authentication logic under certain conditions, which allows an attacker with valid credentials to bypass MFA and gain unauthorized access to user accounts...
New Advanced Phishing Kits Use AI and MFA Bypass Tactics to Steal Credentials at Scale
Cybersecurity researchers have documented four new phishing kits named BlackForce, GhostFrame, InboxPrime AI, and Spiderman that are capable of facilitating credential theft at scale. BlackForce, first detected in August 2025, is designed to steal credentials and perform Man-in-the-Browser MitB...
CVE-2025-67507
Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.3.0 contain a flaw in the handling of recovery codes for app-based multi-factor authentication, allowing the same recovery code to be reused indefinitely. This issue does not affect...
CVE-2025-67495
ZITADEL is an open-source identity infrastructure tool. Versions 4.0.0-rc.1 through 4.7.0 are vulnerable to DOM-Based XSS through the Zitadel V2 logout endpoint. The /logout endpoint insecurely routes to a value that is supplied in the postlogoutredirect GET parameter. As a result, unauthenticate...
Authentication Bypass Using an Alternate Path or Channel
Overview filament/filament is an A collection of full-stack components for accelerated Laravel app development. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel due to the handling of recovery codes for app-based multi-factor...
CVE-2025-67507 Filament's multi-factor authentication (app) recovery codes can be used multiple times
Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.3.0 contain a flaw in the handling of recovery codes for app-based multi-factor authentication, allowing the same recovery code to be reused indefinitely. This issue does not affect...
CVE-2025-67507 Filament's multi-factor authentication (app) recovery codes can be used multiple times
Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.3.0 contain a flaw in the handling of recovery codes for app-based multi-factor authentication, allowing the same recovery code to be reused indefinitely. This issue does not affect...
EUVD-2025-202172
Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.3.0 contain a flaw in the handling of recovery codes for app-based multi-factor authentication, allowing the same recovery code to be reused indefinitely. This issue does not affect...
PT-2025-50298
Name of the Vulnerable Software and Affected Versions Filament versions 4.0.0 through 4.3.0 Description Filament, a collection of full-stack components for accelerated Laravel development, has an issue in how it manages recovery codes for application-based multi-factor authentication. The flaw...
Filament 安全漏洞
Filament is a collection of full-stack components for accelerated Laravel development from the Filament open source. A security vulnerability exists in Filament versions 4.0.0 through 4.3.0, which stems from a flaw in the handling of application-based multi-factor authentication recovery code tha...
CVE-2025-67495 ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login
ZITADEL is an open-source identity infrastructure tool. Versions 4.0.0-rc.1 through 4.7.0 are vulnerable to DOM-Based XSS through the Zitadel V2 logout endpoint. The /logout endpoint insecurely routes to a value that is supplied in the postlogoutredirect GET parameter. As a result, unauthenticate...
CVE-2025-67495
ZITADEL’s DOM-Based XSS in Zitadel V2 logout (CVE-2025-67495) affects 4.0.0-rc.1 through 4.7.0 via the /logout endpoint, where the post_logout_redirect parameter could be used to route malicious JavaScript to a user’s browser. The issue requires multiple active sessions in the same browser and is...
GHSA-PVCV-Q3Q7-266G Filament multi-factor authentication (app) recovery codes can be used multiple times
A flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused indefinitely. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. If an attacker gains access to both the user's password and...
PT-2025-50278
Name of the Vulnerable Software and Affected Versions ZITADEL versions 4.0.0-rc.1 through 4.7.0 Description ZITADEL, an open-source identity infrastructure tool, is susceptible to a DOM-Based Cross-Site Scripting XSS issue through the Zitadel V2 logout endpoint. The /logout API endpoint insecurel...
Cross-site Scripting (XSS)
Overview github.com/zitadel/zitadel/internal/api/oidc is a package for identity infrastructure Affected versions of this package are vulnerable to Cross-site Scripting XSS via the postlogoutredirect parameter in the logout process. An attacker can execute arbitrary JavaScript code in the context ...
Open Redirect
Overview github.com/zitadel/zitadel/internal/api/oidc is a package for identity infrastructure Affected versions of this package are vulnerable to Open Redirect via manipulation of the Forwarded or X-Forwarded-Host headers used to construct password reset confirmation links. An attacker can gain...
A week in security (December 1 – December 7)
Last week on Malwarebytes Labs: Leaks show Intellexa burning zero-days to keep Predator spyware running How scammers use fake insurance texts to steal your identity Canadian police trialing facial recognition bodycams Update Chrome now: Google fixes 13 security issues affecting billions Attackers...
CVE-2025-27935
The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication...
CVE-2025-27935
The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication...
CVE-2025-27935 Authentication Bypass in OTP (One-time Passcode) IdP Adapter Integration Kit
The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication...